Deciding how often to provide training can be a challenge for even the most seasoned risk and compliance veteran. As with many compliance-related questions, the answer is “it depends”. But depending on what? Given there are hundreds of compliance requirements with thousands of discrete task-level knowledge points, how can you begin to establish an appropriate training regimen? A simple four-step process can help you take a more logical approach to planning your training calendar.
1. Determine what’s mandatory.
First, you need to be aware of legal and regulatory requirements. The Bank Secrecy Act, Regulation CC, Red Flags Rules, and Security (to name a few) require training but do not specify frequency. For these types of statutory mandates, initial training upon hire as well as periodic regular training (e.g., annually) has become an industry standard. Other rules, such as Regulations X and Z, do not expressly state that training must occur; however, if you did not train your staff regarding TRID or other new requirements, it would be impossible for them to comply with technical, complicated requirements. Think of these as the “must-have” category: specifically mandated by statute or regulation, or necessary to generate compliant outcomes.
2. Follow your institution’s policies.
Next, review your policies and procedures to determine if frequency is specified. If so, you need to follow those documents or update them to accurately reflect your practices. If frequency is not stated, you should consider whether your institution has implemented new or updated products or services since training was last provided. A sound practice would be to train staff before rollout; but even if you did that, a refresher might also be in order to address potential staff questions or confusion. Like other compliance guidance, policies on training should reflect an understanding of the risks associated with a particular area. Higher-risk areas should be addressed through training more often and in greater depth than lower-risk areas.
3. Respond to the findings of your detective controls.
Next, review examination, audit and internal monitoring findings to determine if noted errors warrant additional training. Although training may not be the only root cause of an identified weakness, remedial training is often advisable as a corrective action, to demonstrate a good-faith effort toward complying. A sound practice would be to train (or re-train) staff as soon as possible after detecting or being notified of errors.
4. Establish routine training intervals.
If none of the above apply, it’s a sound practice to provide initial and ongoing training regarding regulations and how they impact the job duties of the personnel in your institution. For example, Regulation DD hasn’t changed in many years. Your institution’s related policies and procedures may not specify training frequency and you haven’t had any adverse findings. But do your staff remember to quote the Annual Percentage Yield when receiving a telephone request for “rates”? Requiring training at specified intervals, even if it is a refresher for experienced staff, helps ensure that your team is armed with the information to make proper on-the-job decisions about compliance.
Continuity’s RegControls™ can help your institution establish a regular training schedule. If you are a smaller institution, our controls can help you easily distribute training materials and track employee completion using the Continuity platform. If you would like more information about RegControls, please reach out to us at firstname.lastname@example.org.